diff --git a/controllers/kustomization_controller_test.go b/controllers/kustomization_controller_test.go
index bdf69ac5..06a88b36 100644
--- a/controllers/kustomization_controller_test.go
+++ b/controllers/kustomization_controller_test.go
@@ -438,7 +438,7 @@ func kubeConfigSecret() (*corev1.Secret, error) {
 Name: "kubeconfig",
 },
 Data: map[string][]byte{
- "value": kubeConfig,
+ "value.yaml": kubeConfig,
 },
 }, nil
 }
diff --git a/controllers/kustomization_impersonation.go b/controllers/kustomization_impersonation.go
index c013951b..bc067a9e 100644
--- a/controllers/kustomization_impersonation.go
+++ b/controllers/kustomization_impersonation.go
@@ -195,8 +195,15 @@ func (ki *KustomizeImpersonation) getKubeConfig(ctx context.Context) ([]byte, er
 return nil, fmt.Errorf("unable to read KubeConfig secret '%s' error: %w", secretName.String(), err)
 }
- kubeConfig, ok := secret.Data["value"]
- if !ok {
+ var kubeConfig []byte
+ for k, _ := range secret.Data {
+ if k == "value" || k == "value.yaml" {
+ kubeConfig = secret.Data[k]
+ break
+ }
+ }
+
+ if len(kubeConfig) == 0 {
 return nil, fmt.Errorf("KubeConfig secret '%s' doesn't contain a 'value' key ", secretName.String())
 }
diff --git a/docs/spec/v1beta1/kustomization.md b/docs/spec/v1beta1/kustomization.md
index fc569aba..5bc675db 100644
--- a/docs/spec/v1beta1/kustomization.md
+++ b/docs/spec/v1beta1/kustomization.md
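Review bot: In getKubeConfig (controllers/kustomization_impersonation.go), the new `for k, _ := range secret.Data` loop takes whichever of `value` or `value.yaml` Go's randomized map iteration yields first, so a secret carrying both keys can hand the controller a different kubeconfig, and with it different credentials or a different target cluster, from one reconciliation to the next. Looking the keys up in a fixed order makes the precedence explicit; which key should win is the project's call, and the order below is only a suggestion. The `len(kubeConfig) == 0` check also now reports an empty value as a missing key, while the error text still names only `'value'` and ends in a stray space. The function's body starts and ends outside this hunk. The test hunk above it switches the fixture to `value.yaml` only, so nothing visible here still exercises the legacy `value` key.

```go
var kubeConfig []byte
// Fixed lookup order: a secret holding both keys always resolves the same way.
for _, k := range []string{"value", "value.yaml"} {
	if v := secret.Data[k]; len(v) > 0 {
		kubeConfig = v
		break
	}
}

if len(kubeConfig) == 0 {
	return nil, fmt.Errorf("KubeConfig secret '%s' doesn't contain a non-empty 'value' or 'value.yaml' key", secretName.String())
}
```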
@@ -845,11 +845,10 @@ If the `kubeConfig` field is set, objects will be applied, health-checked, prune cluster specified in that KubeConfig instead of using the in-cluster ServiceAccount. The secret defined in the `kubeConfig.SecretRef` must exist in the same namespace as the Kustomization. -On every reconciliation, the KubeConfig bytes will be loaded from the `values` key of the secret's data, and -the secret can thus be regularly updated if cluster-access-tokens have to rotate due to expiration. +On every reconciliation, the KubeConfig bytes will be loaded from the `value` or `value.yaml` key of the secret's data, +and the secret can thus be regularly updated if cluster-access-tokens have to rotate due to expiration. -This composes well with Cluster API bootstrap providers such as CAPBK (kubeadm) as well as the CAPA (AWS) EKS -integration. +This composes well with Cluster API bootstrap providers such as CAPBK (kubeadm), CAPA (AWS) and others. To reconcile a Kustomization to a CAPI controlled cluster, put the `Kustomization` in the same namespace as your `Cluster` object, and set the `kubeConfig.secretRef.name` to `-kubeconfig`: @@ -908,7 +907,7 @@ cluster where kustomize-controller is running e.g.: ```sh kubectl create secret generic prod-kubeconfig \ - --from-file=value=./kubeconfig + --from-file=value.yaml=./kubeconfig ``` > **Note** that the KubeConfig should be self-contained and not rely on binaries, environment,